It is based on a computationally difficult problem - the discrete logarithm problem in multiplicative group

OF MATHEMATICS

Volume 2, Number 3, Pages 215–220 ISSN 1930-1235: (2008)

A NEW ENCRYPTION AND SIGNING ALGORITHM.

Urszula Romaczuk

John Paul II Catholic University of Lublin, Lublin, Poland

urszula [email protected]

Abstract. In this paper we describe a new method of encryption that orig- inates from the public key cryptography and number theory. Our algorithm was inspired by the RSA algorithm and Diffie-Hellman key exchange proto- col. It is based on a computationally difficult problem - the discrete logarithm problem in multiplicative group.

1. Basic idea

Let A and B be users that communicate in a secure channel based on public key cryptography. A is a sender and B is a receiver of a message. Hence, each of them have a pair of keys - public and private. A has pair (kA, l_A) , B has (kB, l_B) (k_A, k_B are private keys and l_A, l_Bare public keys). Assume that A wants to send c (that is encrypted message m) to B.

Let f denote the encryption function and let f⁻¹ denote the corresponding decryption function. In asymmetrical cryptography arguments of the function f are: receiver’s public key l_B and plain text m, that is

c = f (m, l_B),

where c is ciphertext. The decryption function’s f⁻¹ arguments are: the receiver’s private key k_B and ciphertext c. In our case:

f⁻¹(c, k_B) = m.

In this paper a different approach is presented. Namely, arguments of the en- cryption function are: plaintext m, the receiver’s public key l_B and the sender’s private key k_A. Hence

c = f (m, l_B, k_A).

Similarly, arguments of decryption function f⁻¹ are three parameters, that is:

ciphertext c, receiver’s private key k_Band sender’s public key l_A. We have f⁻¹(c, k_B, l_A) = m.

This cross-keyed approach in both encryption and decryption functions aims not only at encrypting and decrypting, but also at signing, simultaneously. That makes receiver A ensured that B is an authentic sender of a message. Then, the sender cannot deny his authorship of a message, that is the authentication of the sender and typical digital signature take place at the same time. Hence, that signature

c

2008 Aulona Press (Albanian J. Math.) 215

2. Description of encryption and digital signature algorithm.

In this paper I assume that the reader has basic knowledge in abstract algebra and number theory.

Let Zndenote the additive group of integers residues modulo n and let Z^∗ndenote the multiplicative group of integers residues modulo n, where n is a natural integer.

Let ϕ be Euler’s function, that is, if m is a natural integer then ϕ(m) denotes the number of integers that are less than m and relatively prime to m.

Lets assume A and B are going to communicate. First, each of them has to generate a pair of keys: public and private. Now they are ready to send each other a secret message.

Let (k_A,l_A) be the pair of keys that belong to user A. Similarly, let the pair (k_B,l_B) belong to user B.

1.: Keys generation.

1.1.: Both users set:

- two positive integers q and n, where q is prime. It is important to choose such integers that the discrete logarithm problem in Z^∗ϕ(qⁿ)is computation- ally difficult,

- integer g ∈ Z^∗ϕ(qⁿ)has such a property that it generates the biggest sub- group of multiplicative group Z^∗ϕ(qⁿ). It would be best if g generates the entire group Z^∗ϕ(qⁿ), so that the group would be cyclic. Of course:

gcd(g, ϕ (qⁿ)) = 1 and g 6= 1.

Function gcd(n, m) denotes the greatest common divisor of integers n and m.

1.2.: Next, user A chooses randomly x ∈ Z^∗ϕ(ϕ(qⁿ)), user B chooses y ∈ Z^∗ϕ(ϕ(qⁿ))

and they compute g^x, g^y modulo ϕ (qⁿ). If

g^x≡ 1 (mod ϕ (qⁿ)) , or g^y≡ 1 (mod ϕ (qⁿ)) ,

then x or y must be chosen randomly again. Clearly, ϕ (qⁿ) = qⁿ⁻¹(q − 1).

1.3.: Both users agree on a hash function h which is used to generate a digital signature.

Then, for user A:

- private key is k_A= x,

- public key l_A= ( g^x, q, n, h ) . (User B: k_B= y, l_B= ( g^y, q, n, h )).

Let m ∈ Z^∗qⁿ. Lets assume that user A is going to send message m to user B.

Moreover, m is both encrypted and signed, so B receives (c, p), where c denotes ciphertext and p denotes the signature of that ciphertext.

Communication schema between users A and B.

2.: Encryption and signature. (User A).

2.1.: Gets public key of user B, lB= ( g^y, q, n, h ) and computes:

k ≡ (g^y)^x≡ g^xy(mod ϕ (qⁿ)) . 2.2.: Next, he encrypts message m:

m^k≡ c (mod qⁿ) .

2.3.: Generation of signature p is as follows. Firstly:

r ≡ c^k(mod qⁿ) .

Secondly, using hash function h, he computes signature p = h (r).

2.4.: Ciphertext c and signature p is sent to user B.

3.: Decryption and verification. (User B).

3.1.: After receiving ciphertext c⁰ and signature p⁰ from user A, he gets the public key of user A lA= ( g^x, q, n, h ) . Next he computes k and k⁻¹:

k ≡ (g^x)^y≡ (g^xy) (mod ϕ (qⁿ)) , k⁻¹≡ (g^xy)⁻¹(mod ϕ (qⁿ)) . 3.2.: In the next step B computes :

r⁰≡ (c⁰)^k(mod qⁿ) .

3.3.: By using hash function h he gets p⁰, so p⁰= h (r⁰). Next he checks that no enemy pretends to be the valid sender, that is, the following equation must occur:

p⁰= p⁰⁰.

If so, that means nobody faked the ciphertext c⁰, hence c = c⁰. Additionally, authentication of user A takes place at this moment, because the only persons that can compute k are A and B. Now B is ready to process decryption of ciphertext c.

3.4.: Decryption of ciphertext c is as follows:

c^k−1 ≡ m (mod qⁿ) . and that is all.

Notice that the existence of the of inverse of the element g^xy in group Z^∗ϕ(qⁿ) is a sufficient condition of verification. Let us assume that such an (g^xy)⁻¹ exists in that group. Then we have

c^k−1 ≡h

m^gxyi^(gxy)−1

≡ m^gxyg−xy ≡ m (mod qⁿ) .

In fact, now it is sufficient to prove that the element (g^xy)⁻¹ exists in group Z^∗_ϕ(qn).

decryption is correct.

The strength of the described algorithm lies in the fact that having public keys of the sender and the receiver there is no possibility that an enemy gets the private key of neither sender nor receiver.

Indeed, we know public keys of users A and B because they publish their keys in public: l_A = ( g^x, q, n, h ) and l_B = ( g^y, q, n, h ). An enemy has no possibility of computing the private key of A: kA = x. The element g^x ∈ Z^∗_ϕ(qn), ϕ (qⁿ) = qⁿ⁻¹· (q − 1) (as it’s easy to prove). However, even if a generator g of a subgroup of the group Z^∗ϕ(qⁿ) was published publicly, the expression x would be based on a computationally hard problem, that is on discrete logarithm problem. Of course, we have to carefully choose a prime q and a natural integer n. Hence, an enemy not only has to compute private keys of sender and receiver, but additionally he has to guess the generator g that was used in encryption.

Notice that if an enemy catches both ciphertext and signature (c, p), which was sent by user A to B, then he also knows public keys : lA = ( g^x, q, n, h ) and l_B = ( g^y, q, n, h ). However, he does not know the generator g of a subgroup of the group Z^∗ϕ(qⁿ) and private keys of A and B, recpectively kA = x and k_B = y.

It is clear that x, y ∈ Z^∗ϕ(ϕ(qⁿ)), ϕ (ϕ (qⁿ)) = qⁿ⁻²· (q − 1) · ϕ (q − 1). Of course, having this information, somebody can try brute force attack and check in turn every element of Z^∗ϕ(ϕ(qⁿ)), but, as we know, if we choose a group of big enough order, then finding x to compute k, that is.

k ≡ (g^x)^y≡ (g^xy) (mod ϕ (qⁿ)) ,

takes a large amount of time, up to a dozen or so years. Additionally k⁻¹ must also be found to decrypt the ciphertext c.

3. Conclusion.

In choosing an adequate multiplicative group Z^∗qⁿ, where q is prime and n is nat- ural integer, it is important for the group Z^∗ϕ(qⁿ)to be cyclic. This guarantees that the ciphertext set extends to the maximum and the number of constant elements is minimal and equal 2 (that is elements where f (m) = m, where f is an encryption function and m ∈ Z^∗qⁿ, these elements are m = 1 and m = qⁿ− 1, because 2|#Z^∗qⁿ, where #Z^∗qⁿ = (q − 1) qⁿ⁻¹ is rank of a group Z^∗qⁿ ). This is indeed so, because the Abelian group G of rank n is a cyclic group, if and only if for any divisor d of n, there are exactly d elements fulfilling the condition x^d= e, where e is a natural element of the group.(See: [1])

After conducting research on multiplicative groups Z^∗qⁿ of residues modulo qⁿ, where q is prime and n is natural integer such as n > 1, I came to the conclusion that the most effective multiplicative group in the described method of encryption is Z^∗3ⁿ, that is, when q = 3. This is so, because group Z^∗ϕ(3ⁿ) = Z^∗2·3ⁿ⁻¹ is cyclic, that is, a generator g exists, which generates the entire group Z^∗ϕ(3ⁿ)and not only

its subgroup and, as well, group Z^∗ϕ(ϕ(3ⁿ))= Z^∗2·3ⁿ⁻²is cyclic, that is, a generator g⁰ exists, which generates the entire group Z^∗ϕ(ϕ(3ⁿ)) and not only its subgroup. This means that the set of possible private and public keys extends to maximum size, that is x, y ∈ Z^∗ϕ(ϕ(3ⁿ)) and g^x, g^y∈ Z^∗_ϕ(3n).

Indeed this is so because the following fact occurs: if p is an odd prime, for any natural integer n, the multiplicative groups Z^∗pⁿand Z^∗2pⁿare cyclic groups.(See: [2], [3])

After my research on groups of the form Z^∗qⁿ, n > 1, I noticed that if we take a prime q 6= 3 and we apply it to the encryption algorithm, then there exist many fixed points. That means that there exists message m ∈ Z^∗qⁿ, which stays unchanged after encryption, that is c = m. For Z^∗3ⁿwe don’t have that problem, because then every message m 6= 1 and m 6= (3ⁿ− 1) after encryption is different from ciphertext c. It is indeed so, because, in my opinion, the following hypothesis, which stems from my research, is true: the group Z^∗ϕ(qⁿ) , n > 1 and for odd prime q is cyclic if and only if is odd prime q = 3. It was Professor Thomas Bier who reassured me that the above mentioned hypothesis is correct by proving this fact.

So far, I haven’t come across any evidence in literature, which could prove that in the group Z^∗3ⁿ or Z^∗2·3ⁿ⁻¹ , the discrete logarithm problem is computationally simple. Thus, it would be an interesting open problem to find such an algorithm, which would solve the problem of the discrete logarithm in the groups Z^∗3ⁿ and Z^∗2·3ⁿ for large values of n, given that such a discovery is possible today.

According to one theory, the discrete logarithm in the group Z^∗n when n has small prime factors is not a computationally difficult problem and is easy to solve.

Regardless, there is no know algorithm for breaking the discrete logarithm in the proposed group Z^∗3ⁿ or Z^∗2·3ⁿ⁻¹ for sufficiently large n, though in the above men- tioned group we have small prime factors.

When n = 1, we have a multiplicative group Z^∗q of residues modulo q. As we know, the multiplicative group Z^∗ϕ(q)is not cyclic for every prime number. However, when e.g. the prime number q is in the form q = 2p + 1 where p is a large Sophie Germain prime, then Z^∗ϕ(q) = Z^∗2p is cyclic. Keep in mind that: a prime p is a Sophie Germain prime if both p and 2p + 1 are prime. We do not yet know if an infinite number of Sophie Germain primes exist.(See: [5] )

Continuing with this argumentation, if the prime number is in the form q = 2p^m+ 1 where m is a natural integer and p is an odd prime number, then it becomes ob- vious that, in this case, Z^∗ϕ(q) = Z^∗2p^m is cyclic (numbers in the form q = 2pⁿ+ 1 where p is an odd prime and m is a natural integer do indeed exist, for example 163 = 2 · 3⁴+ 1, 251 = 2 · 5³+ 1, 487 = 2 · 3⁵+ 1, 2663 = 2 · 11³+ 1). I do not know how many such numbers q = 2pⁿ+ 1 exist nor could I find any forms of such numbers in published literature. As far as I know q = 2pⁿ+ 1 is not a prime number for every prime p and natural integer m. Let us say that a prime power p^e is called a Sophie Germain prime power iff p is odd and q = 2p^e+ 1 is also a prime number, or if p = 2 and e = 0, 1.

Hence, the as yet unanswered question arises: for which other prime numbers q will the group Z^∗ϕ(q) be cyclic. I would be very interested in getting familiar with other suggestions regarding this open problem and the method of encryption proposed.

Attaching a signature is necessary to detect if somebody else pretends to be the sender of the message. Notice that determination of k which is used in encryption and decryption, can be done easily and independently only by sender and receiver.

Acknowledgments: I would like to express my deepest gratitude to Profes- sor Vasyl Ustymenko and Professor Thomas Bier for their guidance and kindness, as well as their helpful advice and valuable suggestions. In would like to particu- larly thank Professor Jerzy Urbanowicz for inspiration and encouragement, without which this cryptosystem wouldn’t have come into existence.

References

1. Bagiski Czesaw ,,Introdution to group theory”, SCRIPT, Warsaw 2002

2. Ireland Kenneth, Rosen Michael, ,,A Classical Introduction to Modern Number Theory”, Springer, New York 1988

3. Leveque William Judson ,,Fundamentals of Number Theory”, Addison-Wesley Publishing Com- pany, 1977

4. Schneier Bruce ,,Applied Cryptography”, WNT, Warsaw 1995.

5. Ribenboim Paulo ,,The Little Book of Big Primes”, Springer-Verlag, New York Berlin Heidel- berg 1991

6. Urbanowicz Jerzy Eugeniusz ,,Asymmetrical cryptography” - undergraduate lecture for IV/V - year students of mathematics at KUL in 2005/2006.